Preventing cybersecurity disasters—large or small—rather than having to recover from them is preferable, for obvious reasons. However, experts at the National Institute of Standards and Technology (NIST) are concerned that overreliance on prevention is as bad as being underprepared. In the NIST special publication Guide for Cybersecurity Event Recovery (PDF), authors Michael Bartock, Jeffrey Cichonski, Karen Scarfone, Matthew Smith, Murugiah Souppaya, and Greg Witte explain why:

"There has been widespread recognition that some cybersecurity events cannot be stopped and solely focusing on preventing cyber events from occurring is a flawed approach."

That attitude among NIST experts started gaining traction two years ago when the Federal Government's Office of Management and Budget published the agency's Cybersecurity Strategy and Implementation Plan (CSIP). The following quote, in particular, captured the attention of NIST personnel:

The CSIP defines recovery as, "The development and implementation of plans, processes, and procedures for recovery and full restoration, in a timely manner, of any capabilities or services that are impaired due to a cyber event."

The report continues, "Although there are existing federal policies, standards, and guidelines on cyber event handling, none of them focuses solely on improving cybersecurity recovery capabilities, and the fundamental information is not captured in a single document. The previous recovery content tends to be spread out in documents such as security, contingency, disaster recovery, and business continuity plans."

NIST's Guide for Cybersecurity Event Recovery

Enter the NIST's Guide for Cybersecurity Event Recovery, which is a compilation of information and processes that can be used by private and public organizations to create recovery plans and be better prepared if a cybersecurity event occurs.

The Guide's authors believe the recovery function consists of two phases: "The immediate tactical recovery phase is largely achieved through the execution of the recovery playbook planned prior to the incident with input from the NIST Cybersecurity Framework (CSF)."

More subtle is the second strategic phase, which according to the authors, allows organizations to improve pre-recovery functions mentioned in the CSF, in particular: Identify, Protect, Detect, and Respond (Figure A), reducing the likelihood and impact of future incidents.

The authors of the Guide go into detail on how to develop an effective recovery process. A brief overview of each step follows.

1. Plan for cyber-event recovery

Effective planning is critical, according to the authors. Planning enables organizations to:

determine crisis-management and incident-management roles;

make arrangements for alternate communication channels, services, and facilities;

explore "what if" scenarios based on recent cyber events that have negatively impacted other organizations;

identify and address gaps before a crisis occurs, reducing their impact on business; and

exercise technical and non-technical aspects of recovery, such as personnel considerations, legal concerns, and facility issues.

2. Continuous improvement

The Guide's authors warn that recovery planning is not static, adding, "Cyber-event recovery planning is not a one-time activity. The plans, policies, and procedures created for recovery should be continually improved by addressing lessons learned during recovery efforts and by periodically validating the recovery capabilities themselves."

3. Recovery metrics

Rather than guessing if the recovery process worked as planned in a cybersecurity event, the authors suggest metrics to remove any guesswork. "It is beneficial to determine these metrics in advance, both to understand what should be measured and to implement the processes to collect relevant data," mentions the authors. "This process also requires the ability to determine where the metrics that have been identified can be most beneficial to the recovery activity and identify which activities cannot be measured in an accurate and repeatable way."

Some suggested metrics are:

Costs due to the loss of competitive edge from the release of proprietary or sensitive information

Legal costs

Hardware, software, and labor costs to execute the recovery plan

Costs relating to business disruption, such as system downtime, lost employee productivity, and lost sales

4. Building the playbook

The authors did not forget one of the more serious concerns presented in the Cybersecurity Strategy and Implementation Plan: Recovery guidelines do not reside in a single document, but are spread throughout security, contingency, disaster-recovery, and business-continuity plans.

Understanding mission-supporting information systems, as well as any dependencies surrounding them, is important under normal operating conditions. "In the event of a cybersecurity event, this information becomes paramount, and the processes and procedures need to be presented in an actionable manner to effectively restore business functions quickly and holistically," conclude the authors. "The playbook is a way to express tasks and processes required to recover from an event in a way that provides actions and milestones specifically relevant for each organization's systems."

Conclusion

Throughout the Guide, the authors stress that the document's main purpose is to provide guidance. "This document is not intended to be used by organizations responding to an active cyber event, but as a guide for developing recovery plans in the form of customized playbooks," the authors explain in the executive summary. "As referred to in this document, a playbook is an action plan that documents an actionable set of steps an organization can follow to recover successfully from a cyber event."

For more IT security advice, subscribe to our Cybersecurity Insider newsletter.